PESCAN.IO - Analysis Report

Information:
Size: 1,04 MB
SHA-256 Hash: D427EFCD6164451C4F1F663A9FCA0E7DB0ABFD0BE4AFA6D25753808CC87EF887
SHA-1 Hash: EBD8E8C5A99FB7FF8F1FDD80ACB5A84E783A809E
MD5 Hash: B19F8D47C021798B331E33E8A7B9F660
Imphash: 270D1212AAA4FE8812E21A7441C53281
MajorOSVersion: 6
CheckSum: 0010E8AE
EntryPoint (rva): 2903B0
SizeOfHeaders: 1000
SizeOfImage: 2AE000
ImageBase: 400000
Architecture: x86
ExportTable: 216060
ImportTable: 2AD608
Characteristics: 102
TimeDateStamp: 67415113
Date: 23/11/2024 3:50:43
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: UPX0, UPX1, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: requireAdministrator
[Incomplete Binary or Compressor Packer - 1,64 MB Missing]

Sections Info:
Section Name  Flags                               ROffset  RSize  VOffset  VSize
UPX0          E0000080 (Executable) (Writeable)   400      0      1000     1A8000
UPX1          E0000040 (Executable) (Writeable)   400      E7800  1A9000   E8000
.rsrc         C0000040 (Writeable)                E7C00    1CA00  291000   1D000
Description:
InternalName: TrellixSmartInstall.exe
OriginalFilename: TrellixSmartInstall.exe
CompanyName: Musarubra US LLC.
LegalCopyright: Copyright (C) 2024 Musarubra US LLC. All rights reserved
ProductName: Trellix Agent
FileVersion: 5.8.3.622

Entry Point:
Section number 2 (UPX1) contains the Entry Point
Information -> EntryPoint (calculated) - E77B0
Code -> 60BE00905A008DBE0080E5FF57EB0B908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11
PUSHAD
MOV ESI, 0X5A9000
LEA EDI, [ESI - 0X1A8000]
PUSH EDI
JMP 0X101A
NOP
MOV AL, BYTE PTR [ESI]
INC ESI
MOV BYTE PTR [EDI], AL
INC EDI
ADD EBX, EBX
JNE 0X1021
MOV EBX, DWORD PTR [ESI]
SUB ESI, -4
ADC EBX, EBX
JB 0X1010
MOV EAX, 1
ADD EBX, EBX
JNE 0X1033
MOV EBX, DWORD PTR [ESI]
SUB ESI, -4

Signatures:
CheckSum Integrity Problem:
Header: 1108142
Calculated: 1146556
Rich Signature Analyzer:
Code -> 262BA2B2624ACCE1624ACCE1624ACCE12932CFE06C4ACCE12932C9E0B94ACCE1042531E16C4ACCE1303FC8E0704ACCE1303FCFE07B4ACCE16B3248E1634ACCE1303FC9E0494ACCE12932C8E0744ACCE12932CDE07B4ACCE1624ACDE11F4BCCE1DB3FC9E0664ACCE1DB3FC8E0C448CCE1DB3FC5E05F4ACCE1DB3FCCE0634ACCE1DB3F33E1634ACCE1624A5BE1634ACCE1DB3FCEE0634ACCE152696368624ACCE1
Footprint md5 Hash -> 49D72C2B5AD6FDDDF5DDE12C4B583647
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler:
Compression: UPX - Version: 3.08
Detect It Easy (die)
PE: packer: UPX(3.08)[NRV,brute]
PE: linker: Microsoft Linker(14.29**)[EXE32,admin,signed]
PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 7.70398

Suspicious Functions:
Library       Function        Description
KERNEL32.DLL  VirtualAlloc    Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  LoadLibraryA    Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress  Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
File Access:
WS2_32.dll
WLDAP32.dll
WINTRUST.dll
USER32.dll
SHELL32.dll
RPCRT4.dll
PSAPI.DLL
CRYPT32.dll
COMCTL32.dll
ADVAPI32.dll
KERNEL32.DLL

File Access (UNICODE):
TrellixSmartInstall.exe

Words of Interest:
exec
ping

URLs:
http://ocsp.globalsign.com/rootr103
http://crl.globalsign.com/root.crl
http://ocsp.globalsign.com/rootr30;
http://secure.globalsign.com/cacert/root-r3.crt
http://crl.globalsign.com/root-r3.crl
http://ocsp.globalsign.com/codesigningrootr450F
http://secure.globalsign.com/cacert/codesigningrootr45.crt
http://crl.globalsign.com/codesigningrootr45.crl
http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt
http://ocsp.globalsign.com/gsgccr45codesignca20200V
http://crl.globalsign.com/gsgccr45codesignca2020.crl
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
https://www.globalsign.com/repository/
https://www.trellix.com/
https://ah-usw003.manage.trellix.com:443/config?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b
https://?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b
https://ah-usw003.manage.trellix.com:443/config?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0
EP Rules: UPX -> www.upx.sourceforge.net
EP Rules: UPX v0.89.6 - v1.02 / v1.05 - v1.22
EP Rules: UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser

Resources:
Path                 DataRVA  Size   FileOffset
\BITMAP\103\1033     247360   280E4  9E760
\ICON\1\1033         291314   468    E7F14
\ICON\2\1033         291780   10A8   E8380
\ICON\3\1033         29282C   25A8   E942C
\ICON\4\1033         294DD8   4228   EB9D8
\ICON\5\1033         299004   10828  EFC04
\ICON\6\1033         2A9830   3784   100430
\DIALOG\101\1033     22B310   13A    82710
\DIALOG\105\1033     22B450   160    82850
\DIALOG\106\1033     22B5B0   BC     829B0
\GROUP_ICON\102\1033 2ACFB8   5A     103BB8
\VERSION\1\1033      2AD018   360    103C18
\24\1\1033           2AD37C   289    103F7C
Intelligent String:
• TrellixSmartInstall.exe
• 5.8.3.622
• <bsurl>https://ah-usw003.manage.trellix.com:443/config?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</bsurl>
• <serverip>https://?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</serverip>
• <serverNetbios>https://ah-usw003.manage.trellix.com:443/config?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</serverNetbios>

Extra 4n4lysis:
Metric          Value   Percentage
Ascii Code      709992  64,9743%
Null Byte Code  80248   7,3438%
© 2025 All rights reserved.